By its nature, a smart electrical grid improves efficiencies by better utilizing information in the operation and management of an electricity system. Gathering and processing information about consumers of electricity is central to a smart grid. This is illustrated by the U.S. Department of Energy's definition of "smart grid" which is set out below:
"A smart grid is an electrical grid that uses computers and other technology to gather and act on information, such as information about the behaviors of suppliers and consumers, in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity."
Given the central role that consumer information plays in the concept of a smart grid, it is not surprising that issues of privacy often arise when the smart grid is discussed. It is also not surprising, given the public's relative lack of understanding of the electrical grid and how it operates, that privacy concerns about the smart grid have risen to extremes. For example, the Toronto Star newspaper ran a story in its May 12, 2011 issue entitled "Can smart grid know too much?". The article included photographs of terrified individuals with the caption "They know when you are sleeping…they know when you're awake…they know when you're in the shower!"
Fears about taking showers aside, consumer concerns about how the smart grid treats their personal information are warranted. With the development of the smart grid, new avenues for the collection of personal information, such as smart meters, have been implemented and entirely new libraries of personal energy use information have been created. Ontario's Privacy Commissioner Dr. Anne Cavoukian summarized the implication of these privacy concerns as follows:
"The underlying rationale is that consumer confidence and trust in the Smart Grid, and in one's local electricity distributors, is vital in achieving the vision of a more energy efficient electrical grid."
In recent years the Ontario Independent Electricity System Operator ("IESO") has taken great strides to make Ontario's electrical grid significantly "smarter". These strides include the design, operation and administration of a Smart Metering Entity and a related central meter data repository for Ontario's electricity market. This article will document how the IESO's design, operation and administration of Ontario's Smart Metering Entity and its central meter data repository has designed privacy protections into the control framework for Ontario's smart meter data management system.
For consumers of electricity, an understanding of how privacy protections have been embedded into these new developments will help dispel fears about how personal information is treated by the smart grid. For organizations, the IESO's Smart Metering Entity provides an example of how to build proactive, default privacy controls into complex data management systems. Organizations planning to build or implement such systems of their own should look to the IESO's accomplishments for a better understanding of how systems can be designed and implemented to comply with privacy requirements.
Ontario's Smart Metering Initiative and the MDM/R
Ontario's Smart Metering Initiative (SMI), led by the Government of Ontario, is intended to create a conservation culture and support demand management through province-wide smart meter deployment. The SMI intends to support a more sustainable and efficient electricity system by:
- Laying the foundation for a Smart Grid
- Improving reliability
- Improving operating efficiency
- Increasing conservation
- Providing more accurate and timely energy use information
- Reducing or deferring the need for new power generators
As of February 2012, there were 4.7 million smart meters installed and over 3.8 million customers on time-of-use billing in Ontario.
In July 2007, the Government of Ontario designated the IESO as the Smart Metering Entity (SME) that will play a central role in the management of Ontario's system of smart meters. 
The IESO, as Ontario's independent electricity system operator, is responsible for monitoring Ontario's electricity system and identifying what is required to maintain its reliability. Acting as the SME, the IESO's role has been expanded to include the operation of a central meter data repository (the Meter Data Management and Repository, or "MDM/R") in support of Ontario's more than 70 local electricity distribution companies ("LDCs").
The MDM/R acts as a central hub providing a common platform for storing, processing and managing hourly electrical consumption information in a reliable and secure manner. The MDM/R receives consumption data daily from smart meters through the LDCs' systems. Working in conjunction with the LDCs' metering and billing systems, the MDM/R provides consumers with detailed, accurate and timely information about their electricity use.
The SME provides the following services:
- manages the MDM/R
- coordinates the MDM/R's design, technical architecture and standards
- manages changes to the MDM/R to ensure they are implemented in a controlled manner
- performs testing to ensure the MDM/R functions and operates as designed, and fulfils audit requirements
- provides first-level incident response and resolution
- coordinates shared services across IESO functions to fulfill its obligations as the SME.
Privacy and the MDM/R
Ontario's Privacy Commissioner and her work advocating privacy in the smart grid context are very familiar to Ontario's electricity industry. Commissioner Cavoukian is probably best known for espousing that seven foundational privacy principles, which she calls "Privacy by Design", be embedded in the smart grid from its initial design through implementation and operation.
These foundational principles are:
- Be Proactive, not Reactive
- Make Privacy the default setting
- Ensure privacy is embedded into the design
- Strive to achieve full functionality of the underlying technology in a positive-sum, not zero-sum, manner
- Instill security into the system in an end-to-end manner
- Ensure the system is transparent
- Ensure the smart grid is user-centric in a manner that respects user privacy
The following outlines how the IESO has successfully instilled these seven foundational privacy principles in the MDM/R and the operating policies and procedures that apply to it.
- Proactive Privacy
A proactive approach to privacy can be facilited through regular monitoring and audits of systems and managerial controls.
To accomplish this, the IESO has implemented an Enterprise Risk Management process to proactively address potential risks and to foster a risk conscious internal control environment. This process includes IESO Senior Management reviewing the risks to the administration and operation of MDM/R services on at least a quarterly basis and reporting to the IESO Board at least twice yearly. The IESO Internal Audit department reviews IESO operations and supporting information systems including the IESO's system of internal control, risk management and governance processes. Results of all such audits are reported in writing to IESO senior management and the audit committee of the IESO's board of directors.
- Privacy - the default setting
The IESO uses certain automatic technological processes and business practices to ensure that privacy is maintained in the MDM/R as the "default setting".
This is demonstrated by the IESO's use of controls to provide assurance that only authorized organizations are processed as registrants with access to the MDM/R. To do so, the IESO reviews organization registration applications and issues an Organization ID to the applicant. The IESO’s Operational Service Provider (OSP) sends details of additions to its file transfer service to the IESO who confirms that the update is complete and accurate.At this point the IESO exchanges self-signed certificates with the newly registered organization and the OSP loads a digital certificate into its web services connections to enable the new registrant, confirming completion of this step to IESO.
Only LDCs and their designated agents have the ability to provide information to, or pull information from, the MDM/R. The IESO does not share smart meter data with energy retailers or other agents of consumers. The LDC controls online read-only access to customer consumption data and daily billing quantity data, and is responsible for authorizing access to this data by retailers and other customer agents. The LDC will identify organizations authorized to access the online data, and will grant read-only access to retailers or other agents for those specific customers who have chosen to enter into contracts with energy retailers or other agents.
- Embedding Privacy into the MDM/R design
The IESO utilizes access controls to restrict access to the information in the MDM/R to authorized organizations and user accounts. Several automatic processes facilitate this restriction by default. These processes include:
- the MDM/R automatically restricts access to data to organizations who configured permissions during registration
- the MDM/R automatically notifies the LDC when files are transmitted to or from an LDC
- the MDM/R automatically associates manual verifications or edits made to data with the authorized user that is interacting with the system
- the MDM/R employs automatic restrictions on read-only use and editing use of data to authorized users
- requests for new user access or changes to existing user access must be made using originally signed prescribed forms. Each form must be reviewed and approved by the IESO
- new user Ids and passwords are sent directly to the requester in separate messages
- the MDM/R automatically authenticates user access through a login process that is governed by password control.The MDM/R uses the following controls to provide assurance that meter-read data it receives from LDCs is recorded in the MDM/R completely, accurately and in a timely manner:
- the MDM/R automatically checks incoming data to verify that relevant fields are populated, rejecting records that do not meet the required criteria
- the MDM/R automatically performs checks of data provided to it against master data
- exceptions revealed by the two checks mentioned above are automatically reported to the LDC To provide assurance that master data updates received by the MDM/R are processed completely, accurately and in a timely manner, the MDM/R:
- automatically processes, checks and tests synchronization file sets and reports errors found to the submitting organization
- automatically reports updates made by synchronizations to the submitting organization.
- End-to-end Security
The IESO instigated the following controls to ensure the MDM/R systems are secured to prevent unauthorized use, disclosure, modification, damage or loss of data:
- the IESO entered into an agreement with its systems service provider that requires the use of up to date access controls
- user access to the MDM/R system and data is based on documented and approved management requests
- the IESO performs quarterly reviews of all MDM/R user access to determine that the MDM/R's user lists align with the user lists maintained by the IESO's registration and enrollment group and identified exceptions are remediated within defined service levels
- only administrators designated by the IESO's systems service provider have access to add/remove/modify user Ids
- the IESO's systems service provider is required by contract to update user access to the MDM/R upon notice by the IESO on a timely basis
Security and other privacy protections are applied to the MDM/R on an "end-to-end" basis through a privacy-protected change management process. Change management controls are utilized to provide assurance that requested changes to the system are authorized, tested and implemented in a controlled manner so that unintended consequences (including unintended consequences for privacy) are prevented.
The following change management controls were put in place regarding the MDM/R:
- requested changes are documented, categorized and implementation risks are assessed
- the environment for the testing of the requested change is segregated from all production environments
- the scope and level of testing of the change is determined based on the level of risk and complexity associated with the change
- required testing must be reflected in test plans and test results that are accepted by IESO management
- IESO management must review and approve the request to promote the change to the production level
- defects identified in testing are either received prior to change implementation or are identified and communicated to the LDCs.
- System Transparency
To promote transparency, the IESO maintains a website for MDM/R service recipients that provides an overview of the SME, SME services, MDM/R governance documents, manuals and procedures and key contact information. The IESO's MDM/R Service Desk provides a single point of contact for information requests, service requests and reporting of incidents for MDM/R service recipients, including providing updates on status of requests and incidents.
The IESO users the following administrative controls to accountability, visibility and transparency of the business practices of the MDM/R's operational service provider:
- IESO management reviews the scope, control objectives, control descriptions and conclusions reported by the MDM/R service provider on a quarterly basis
- if exceptions affecting the MDM/R are identified in a service provider report, IESO management follows up with the service provider to develop a corrective action plan and to identify compensating controls to mitigate associated risks.
- Making the System User Centric
To ensure the MDM/R system meets user needs, IESO management monitors system performance against defined service levels and escalates problems with service providers and the IESO board. The IESO also meets weekly with its operational service provider to review issues and priorities with MDM/R service providers.
Responding appropriately to operations incidents is another key aspect of ensuring the MDM/R system satisfies user needs. The IESO has controls in place to provide reasonable assurance that operations incidents are identified, recorded, responded to, resolved or investigated, reviewed and analyzed in a timely manner. These controls include:
- identified operations issues are logged into the MDM/R's service desk system and classified into agreed upon severity categories
- updates regarding the incident status are provided to the incident originator on a periodic basis
- the IESO reviews and discusses resolution timeliness of outstanding issues on a periodic basis.
The management practices of Ontario's Smart Metering Entity and its design and administrative policies pertaining to Ontario’s Meter Data Management and Repository are examples of how privacy protections can be instilled in the smart grid "by design". A better understanding and communication of these practices and policies will help dispel consumer fears about how personal information is treated by the smart grid. Organizations can look to Ontario's IESO's practices and policies as examples of how to build proactive, default privacy controls into complex data management systems.